@push.rocks/smartmta 5.1.2 → 5.2.0

package/dist_ts/mail/routing/index.d.ts

@@ -0,0 +1,7 @@
+export * from './classes.email.router.js';
+export * from './classes.unified.email.server.js';
+export * from './classes.dns.manager.js';
+export * from './interfaces.js';
+export * from './classes.domain.registry.js';
+export * from './classes.email.action.executor.js';
+export * from './classes.dkim.manager.js';

package/dist_ts/mail/routing/index.js

@@ -0,0 +1,9 @@
+// Email routing components
+export * from './classes.email.router.js';
+export * from './classes.unified.email.server.js';
+export * from './classes.dns.manager.js';
+export * from './interfaces.js';
+export * from './classes.domain.registry.js';
+export * from './classes.email.action.executor.js';
+export * from './classes.dkim.manager.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy9tYWlsL3JvdXRpbmcvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsMkJBQTJCO0FBQzNCLGNBQWMsMkJBQTJCLENBQUM7QUFDMUMsY0FBYyxtQ0FBbUMsQ0FBQztBQUNsRCxjQUFjLDBCQUEwQixDQUFDO0FBQ3pDLGNBQWMsaUJBQWlCLENBQUM7QUFDaEMsY0FBYyw4QkFBOEIsQ0FBQztBQUM3QyxjQUFjLG9DQUFvQyxDQUFDO0FBQ25ELGNBQWMsMkJBQTJCLENBQUMifQ==

package/dist_ts/mail/routing/interfaces.d.ts

@@ -0,0 +1,187 @@
+import type { Email } from '../core/classes.email.js';
+import type { IExtendedSmtpSession } from './classes.unified.email.server.js';
+/**
+ * Route configuration for email routing
+ */
+export interface IEmailRoute {
+    /** Route identifier */
+    name: string;
+    /** Order of evaluation (higher priority evaluated first, default: 0) */
+    priority?: number;
+    /** Conditions to match */
+    match: IEmailMatch;
+    /** Action to take when matched */
+    action: IEmailAction;
+}
+/**
+ * Match criteria for email routing
+ */
+export interface IEmailMatch {
+    /** Email patterns to match recipients: "*@example.com", "admin@*" */
+    recipients?: string | string[];
+    /** Email patterns to match senders */
+    senders?: string | string[];
+    /** IP addresses or CIDR ranges to match */
+    clientIp?: string | string[];
+    /** Require authentication status */
+    authenticated?: boolean;
+    /** Headers to match */
+    headers?: Record<string, string | RegExp>;
+    /** Message size range */
+    sizeRange?: {
+        min?: number;
+        max?: number;
+    };
+    /** Subject line patterns */
+    subject?: string | RegExp;
+    /** Has attachments */
+    hasAttachments?: boolean;
+}
+/**
+ * Action to take when route matches
+ */
+export interface IEmailAction {
+    /** Type of action to perform */
+    type: 'forward' | 'deliver' | 'reject' | 'process';
+    /** Forward action configuration */
+    forward?: {
+        /** Target host to forward to */
+        host: string;
+        /** Target port (default: 25) */
+        port?: number;
+        /** Authentication credentials */
+        auth?: {
+            user: string;
+            pass: string;
+        };
+        /** Preserve original headers */
+        preserveHeaders?: boolean;
+        /** Additional headers to add */
+        addHeaders?: Record<string, string>;
+    };
+    /** Reject action configuration */
+    reject?: {
+        /** SMTP response code */
+        code: number;
+        /** SMTP response message */
+        message: string;
+    };
+    /** Process action configuration */
+    process?: {
+        /** Enable content scanning */
+        scan?: boolean;
+        /** Enable DKIM signing */
+        dkim?: boolean;
+        /** Delivery queue priority */
+        queue?: 'normal' | 'priority' | 'bulk';
+    };
+    /** Options for various action types */
+    options?: {
+        /** MTA specific options */
+        mtaOptions?: {
+            domain?: string;
+            allowLocalDelivery?: boolean;
+            localDeliveryPath?: string;
+            dkimSign?: boolean;
+            dkimOptions?: {
+                domainName: string;
+                keySelector: string;
+                privateKey?: string;
+            };
+            smtpBanner?: string;
+            maxConnections?: number;
+            connTimeout?: number;
+            spoolDir?: string;
+        };
+        /** Content scanning configuration */
+        contentScanning?: boolean;
+        scanners?: Array<{
+            type: 'spam' | 'virus' | 'attachment';
+            threshold?: number;
+            action: 'tag' | 'reject';
+            blockedExtensions?: string[];
+        }>;
+        /** Email transformations */
+        transformations?: Array<{
+            type: string;
+            header?: string;
+            value?: string;
+            domains?: string[];
+            append?: boolean;
+            [key: string]: any;
+        }>;
+    };
+    /** Delivery options (applies to forward/process/deliver) */
+    delivery?: {
+        /** Rate limit (messages per minute) */
+        rateLimit?: number;
+        /** Number of retry attempts */
+        retries?: number;
+    };
+}
+/**
+ * Context for route evaluation
+ */
+export interface IEmailContext {
+    /** The email being routed */
+    email: Email;
+    /** The SMTP session */
+    session: IExtendedSmtpSession;
+}
+/**
+ * Email domain configuration
+ */
+export interface IEmailDomainConfig {
+    /** Domain name */
+    domain: string;
+    /** DNS handling mode */
+    dnsMode: 'forward' | 'internal-dns' | 'external-dns';
+    /** DNS configuration based on mode */
+    dns?: {
+        /** For 'forward' mode */
+        forward?: {
+            /** Skip DNS validation (default: false) */
+            skipDnsValidation?: boolean;
+            /** Target server's expected domain */
+            targetDomain?: string;
+        };
+        /** For 'internal-dns' mode */
+        internal?: {
+            /** TTL for DNS records in seconds (default: 3600) */
+            ttl?: number;
+            /** MX record priority (default: 10) */
+            mxPriority?: number;
+        };
+        /** For 'external-dns' mode */
+        external?: {
+            /** Custom DNS servers (default: system DNS) */
+            servers?: string[];
+            /** Which records to validate (default: ['MX', 'SPF', 'DKIM', 'DMARC']) */
+            requiredRecords?: ('MX' | 'SPF' | 'DKIM' | 'DMARC')[];
+        };
+    };
+    /** Per-domain DKIM settings (DKIM always enabled) */
+    dkim?: {
+        /** DKIM selector (default: 'default') */
+        selector?: string;
+        /** Key size in bits (default: 2048) */
+        keySize?: number;
+        /** Automatically rotate keys (default: false) */
+        rotateKeys?: boolean;
+        /** Days between key rotations (default: 90) */
+        rotationInterval?: number;
+    };
+    /** Per-domain rate limits */
+    rateLimits?: {
+        outbound?: {
+            messagesPerMinute?: number;
+            messagesPerHour?: number;
+            messagesPerDay?: number;
+        };
+        inbound?: {
+            messagesPerMinute?: number;
+            connectionsPerIp?: number;
+            recipientsPerMessage?: number;
+        };
+    };
+}

package/dist_ts/mail/routing/interfaces.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW50ZXJmYWNlcy5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3RzL21haWwvcm91dGluZy9pbnRlcmZhY2VzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiIifQ==

package/dist_ts/mail/security/classes.dkimcreator.d.ts

@@ -0,0 +1,72 @@
+import * as plugins from '../../plugins.js';
+import { Email } from '../core/classes.email.js';
+export interface IKeyPaths {
+    privateKeyPath: string;
+    publicKeyPath: string;
+}
+export interface IDkimKeyMetadata {
+    domain: string;
+    selector: string;
+    createdAt: number;
+    rotatedAt?: number;
+    previousSelector?: string;
+    keySize: number;
+}
+export declare class DKIMCreator {
+    private keysDir;
+    private storageManager?;
+    constructor(keysDir?: string, storageManager?: any);
+    getKeyPathsForDomain(domainArg: string): Promise<IKeyPaths>;
+    handleDKIMKeysForDomain(domainArg: string): Promise<void>;
+    handleDKIMKeysForEmail(email: Email): Promise<void>;
+    readDKIMKeys(domainArg: string): Promise<{
+        privateKey: string;
+        publicKey: string;
+    }>;
+    createDKIMKeys(): Promise<{
+        privateKey: string;
+        publicKey: string;
+    }>;
+    createEd25519Keys(): Promise<{
+        privateKey: string;
+        publicKey: string;
+    }>;
+    storeDKIMKeys(privateKey: string, publicKey: string, privateKeyPath: string, publicKeyPath: string): Promise<void>;
+    createAndStoreDKIMKeys(domain: string): Promise<void>;
+    getDNSRecordForDomain(domainArg: string): Promise<plugins.tsclass.network.IDnsRecord>;
+    /**
+     * Get DKIM key metadata for a domain
+     */
+    private getKeyMetadata;
+    /**
+     * Save DKIM key metadata
+     */
+    private saveKeyMetadata;
+    /**
+     * Check if DKIM keys need rotation
+     */
+    needsRotation(domain: string, selector?: string, rotationIntervalDays?: number): Promise<boolean>;
+    /**
+     * Rotate DKIM keys for a domain
+     */
+    rotateDkimKeys(domain: string, currentSelector?: string, keySize?: number): Promise<string>;
+    /**
+     * Get key paths for a specific selector
+     */
+    getKeyPathsForSelector(domain: string, selector: string): Promise<IKeyPaths>;
+    /**
+     * Read DKIM keys for a specific selector
+     */
+    readDKIMKeysForSelector(domain: string, selector: string): Promise<{
+        privateKey: string;
+        publicKey: string;
+    }>;
+    /**
+     * Get DNS record for a specific selector
+     */
+    getDNSRecordForSelector(domain: string, selector: string): Promise<plugins.tsclass.network.IDnsRecord>;
+    /**
+     * Clean up old DKIM keys after grace period
+     */
+    cleanupOldKeys(domain: string, gracePeriodDays?: number): Promise<void>;
+}

package/dist_ts/mail/security/classes.dkimcreator.js

@@ -0,0 +1,360 @@
+import * as plugins from '../../plugins.js';
+import * as paths from '../../paths.js';
+import { Email } from '../core/classes.email.js';
+// MtaService reference removed
+const readFile = plugins.util.promisify(plugins.fs.readFile);
+const writeFile = plugins.util.promisify(plugins.fs.writeFile);
+const generateKeyPair = plugins.util.promisify(plugins.crypto.generateKeyPair);
+export class DKIMCreator {
+    keysDir;
+    storageManager; // StorageManager instance
+    constructor(keysDir = paths.keysDir, storageManager) {
+        this.keysDir = keysDir;
+        this.storageManager = storageManager;
+    }
+    async getKeyPathsForDomain(domainArg) {
+        return {
+            privateKeyPath: plugins.path.join(this.keysDir, `${domainArg}-private.pem`),
+            publicKeyPath: plugins.path.join(this.keysDir, `${domainArg}-public.pem`),
+        };
+    }
+    // Check if a DKIM key is present and creates one and stores it to disk otherwise
+    async handleDKIMKeysForDomain(domainArg) {
+        try {
+            await this.readDKIMKeys(domainArg);
+        }
+        catch (error) {
+            console.log(`No DKIM keys found for ${domainArg}. Generating...`);
+            await this.createAndStoreDKIMKeys(domainArg);
+            const dnsValue = await this.getDNSRecordForDomain(domainArg);
+            await plugins.smartfs.directory(paths.dnsRecordsDir).recursive().create();
+            await plugins.smartfs.file(plugins.path.join(paths.dnsRecordsDir, `${domainArg}.dkimrecord.json`)).write(JSON.stringify(dnsValue, null, 2));
+        }
+    }
+    async handleDKIMKeysForEmail(email) {
+        const domain = email.from.split('@')[1];
+        await this.handleDKIMKeysForDomain(domain);
+    }
+    // Read DKIM keys - always use storage manager, migrate from filesystem if needed
+    async readDKIMKeys(domainArg) {
+        // Try to read from storage manager first
+        if (this.storageManager) {
+            try {
+                const [privateKey, publicKey] = await Promise.all([
+                    this.storageManager.get(`/email/dkim/${domainArg}/private.key`),
+                    this.storageManager.get(`/email/dkim/${domainArg}/public.key`)
+                ]);
+                if (privateKey && publicKey) {
+                    return { privateKey, publicKey };
+                }
+            }
+            catch (error) {
+                // Fall through to migration check
+            }
+            // Check if keys exist in filesystem and migrate them to storage manager
+            const keyPaths = await this.getKeyPathsForDomain(domainArg);
+            try {
+                const [privateKeyBuffer, publicKeyBuffer] = await Promise.all([
+                    readFile(keyPaths.privateKeyPath),
+                    readFile(keyPaths.publicKeyPath),
+                ]);
+                // Convert the buffers to strings
+                const privateKey = privateKeyBuffer.toString();
+                const publicKey = publicKeyBuffer.toString();
+                // Migrate to storage manager
+                console.log(`Migrating DKIM keys for ${domainArg} from filesystem to StorageManager`);
+                await Promise.all([
+                    this.storageManager.set(`/email/dkim/${domainArg}/private.key`, privateKey),
+                    this.storageManager.set(`/email/dkim/${domainArg}/public.key`, publicKey)
+                ]);
+                return { privateKey, publicKey };
+            }
+            catch (error) {
+                if (error.code === 'ENOENT') {
+                    // Keys don't exist anywhere
+                    throw new Error(`DKIM keys not found for domain ${domainArg}`);
+                }
+                throw error;
+            }
+        }
+        else {
+            // No storage manager, use filesystem directly
+            const keyPaths = await this.getKeyPathsForDomain(domainArg);
+            const [privateKeyBuffer, publicKeyBuffer] = await Promise.all([
+                readFile(keyPaths.privateKeyPath),
+                readFile(keyPaths.publicKeyPath),
+            ]);
+            const privateKey = privateKeyBuffer.toString();
+            const publicKey = publicKeyBuffer.toString();
+            return { privateKey, publicKey };
+        }
+    }
+    // Create an RSA DKIM key pair - changed to public for API access
+    async createDKIMKeys() {
+        const { privateKey, publicKey } = await generateKeyPair('rsa', {
+            modulusLength: 2048,
+            publicKeyEncoding: { type: 'spki', format: 'pem' },
+            privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
+        });
+        return { privateKey, publicKey };
+    }
+    // Create an Ed25519 DKIM key pair (RFC 8463)
+    async createEd25519Keys() {
+        const { privateKey, publicKey } = await generateKeyPair('ed25519', {
+            publicKeyEncoding: { type: 'spki', format: 'pem' },
+            privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
+        });
+        return { privateKey, publicKey };
+    }
+    // Store a DKIM key pair - uses storage manager if available, else disk
+    async storeDKIMKeys(privateKey, publicKey, privateKeyPath, publicKeyPath) {
+        // Store in storage manager if available
+        if (this.storageManager) {
+            // Extract domain from path (e.g., /path/to/keys/example.com-private.pem -> example.com)
+            const match = privateKeyPath.match(/\/([^\/]+)-private\.pem$/);
+            if (match) {
+                const domain = match[1];
+                await Promise.all([
+                    this.storageManager.set(`/email/dkim/${domain}/private.key`, privateKey),
+                    this.storageManager.set(`/email/dkim/${domain}/public.key`, publicKey)
+                ]);
+            }
+        }
+        // Also store to filesystem for backward compatibility
+        await Promise.all([writeFile(privateKeyPath, privateKey), writeFile(publicKeyPath, publicKey)]);
+    }
+    // Create a DKIM key pair and store it to disk - changed to public for API access
+    async createAndStoreDKIMKeys(domain) {
+        const { privateKey, publicKey } = await this.createDKIMKeys();
+        const keyPaths = await this.getKeyPathsForDomain(domain);
+        await this.storeDKIMKeys(privateKey, publicKey, keyPaths.privateKeyPath, keyPaths.publicKeyPath);
+        console.log(`DKIM keys for ${domain} created and stored.`);
+    }
+    // Changed to public for API access
+    async getDNSRecordForDomain(domainArg) {
+        await this.handleDKIMKeysForDomain(domainArg);
+        const keys = await this.readDKIMKeys(domainArg);
+        // Remove the PEM header and footer and newlines
+        const pemHeader = '-----BEGIN PUBLIC KEY-----';
+        const pemFooter = '-----END PUBLIC KEY-----';
+        const keyContents = keys.publicKey
+            .replace(pemHeader, '')
+            .replace(pemFooter, '')
+            .replace(/\n/g, '');
+        // Detect key type from PEM header
+        const keyAlgo = keys.privateKey.includes('ED25519') || keys.publicKey.length < 200 ? 'ed25519' : 'rsa';
+        // Now generate the DKIM DNS TXT record
+        const dnsRecordValue = `v=DKIM1; h=sha256; k=${keyAlgo}; p=${keyContents}`;
+        return {
+            name: `mta._domainkey.${domainArg}`,
+            type: 'TXT',
+            dnsSecEnabled: null,
+            value: dnsRecordValue,
+        };
+    }
+    /**
+     * Get DKIM key metadata for a domain
+     */
+    async getKeyMetadata(domain, selector = 'default') {
+        if (!this.storageManager) {
+            return null;
+        }
+        const metadataKey = `/email/dkim/${domain}/${selector}/metadata`;
+        const metadataStr = await this.storageManager.get(metadataKey);
+        if (!metadataStr) {
+            return null;
+        }
+        return JSON.parse(metadataStr);
+    }
+    /**
+     * Save DKIM key metadata
+     */
+    async saveKeyMetadata(metadata) {
+        if (!this.storageManager) {
+            return;
+        }
+        const metadataKey = `/email/dkim/${metadata.domain}/${metadata.selector}/metadata`;
+        await this.storageManager.set(metadataKey, JSON.stringify(metadata));
+    }
+    /**
+     * Check if DKIM keys need rotation
+     */
+    async needsRotation(domain, selector = 'default', rotationIntervalDays = 90) {
+        const metadata = await this.getKeyMetadata(domain, selector);
+        if (!metadata) {
+            // No metadata means old keys, should rotate
+            return true;
+        }
+        const now = Date.now();
+        const keyAgeMs = now - metadata.createdAt;
+        const keyAgeDays = keyAgeMs / (1000 * 60 * 60 * 24);
+        return keyAgeDays >= rotationIntervalDays;
+    }
+    /**
+     * Rotate DKIM keys for a domain
+     */
+    async rotateDkimKeys(domain, currentSelector = 'default', keySize = 2048) {
+        console.log(`Rotating DKIM keys for ${domain}...`);
+        // Generate new selector based on date
+        const now = new Date();
+        const newSelector = `key${now.getFullYear()}${String(now.getMonth() + 1).padStart(2, '0')}`;
+        // Create new keys with custom key size
+        const { privateKey, publicKey } = await generateKeyPair('rsa', {
+            modulusLength: keySize,
+            publicKeyEncoding: { type: 'spki', format: 'pem' },
+            privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
+        });
+        // Store new keys with new selector
+        const newKeyPaths = await this.getKeyPathsForSelector(domain, newSelector);
+        // Store in storage manager if available
+        if (this.storageManager) {
+            await Promise.all([
+                this.storageManager.set(`/email/dkim/${domain}/${newSelector}/private.key`, privateKey),
+                this.storageManager.set(`/email/dkim/${domain}/${newSelector}/public.key`, publicKey)
+            ]);
+        }
+        // Also store to filesystem
+        await this.storeDKIMKeys(privateKey, publicKey, newKeyPaths.privateKeyPath, newKeyPaths.publicKeyPath);
+        // Save metadata for new keys
+        const metadata = {
+            domain,
+            selector: newSelector,
+            createdAt: Date.now(),
+            previousSelector: currentSelector,
+            keySize
+        };
+        await this.saveKeyMetadata(metadata);
+        // Update metadata for old keys
+        const oldMetadata = await this.getKeyMetadata(domain, currentSelector);
+        if (oldMetadata) {
+            oldMetadata.rotatedAt = Date.now();
+            await this.saveKeyMetadata(oldMetadata);
+        }
+        console.log(`DKIM keys rotated for ${domain}. New selector: ${newSelector}`);
+        return newSelector;
+    }
+    /**
+     * Get key paths for a specific selector
+     */
+    async getKeyPathsForSelector(domain, selector) {
+        return {
+            privateKeyPath: plugins.path.join(this.keysDir, `${domain}-${selector}-private.pem`),
+            publicKeyPath: plugins.path.join(this.keysDir, `${domain}-${selector}-public.pem`),
+        };
+    }
+    /**
+     * Read DKIM keys for a specific selector
+     */
+    async readDKIMKeysForSelector(domain, selector) {
+        // Try to read from storage manager first
+        if (this.storageManager) {
+            try {
+                const [privateKey, publicKey] = await Promise.all([
+                    this.storageManager.get(`/email/dkim/${domain}/${selector}/private.key`),
+                    this.storageManager.get(`/email/dkim/${domain}/${selector}/public.key`)
+                ]);
+                if (privateKey && publicKey) {
+                    return { privateKey, publicKey };
+                }
+            }
+            catch (error) {
+                // Fall through to migration check
+            }
+            // Check if keys exist in filesystem and migrate them to storage manager
+            const keyPaths = await this.getKeyPathsForSelector(domain, selector);
+            try {
+                const [privateKeyBuffer, publicKeyBuffer] = await Promise.all([
+                    readFile(keyPaths.privateKeyPath),
+                    readFile(keyPaths.publicKeyPath),
+                ]);
+                const privateKey = privateKeyBuffer.toString();
+                const publicKey = publicKeyBuffer.toString();
+                // Migrate to storage manager
+                console.log(`Migrating DKIM keys for ${domain}/${selector} from filesystem to StorageManager`);
+                await Promise.all([
+                    this.storageManager.set(`/email/dkim/${domain}/${selector}/private.key`, privateKey),
+                    this.storageManager.set(`/email/dkim/${domain}/${selector}/public.key`, publicKey)
+                ]);
+                return { privateKey, publicKey };
+            }
+            catch (error) {
+                if (error.code === 'ENOENT') {
+                    throw new Error(`DKIM keys not found for domain ${domain} with selector ${selector}`);
+                }
+                throw error;
+            }
+        }
+        else {
+            // No storage manager, use filesystem directly
+            const keyPaths = await this.getKeyPathsForSelector(domain, selector);
+            const [privateKeyBuffer, publicKeyBuffer] = await Promise.all([
+                readFile(keyPaths.privateKeyPath),
+                readFile(keyPaths.publicKeyPath),
+            ]);
+            const privateKey = privateKeyBuffer.toString();
+            const publicKey = publicKeyBuffer.toString();
+            return { privateKey, publicKey };
+        }
+    }
+    /**
+     * Get DNS record for a specific selector
+     */
+    async getDNSRecordForSelector(domain, selector) {
+        const keys = await this.readDKIMKeysForSelector(domain, selector);
+        // Remove the PEM header and footer and newlines
+        const pemHeader = '-----BEGIN PUBLIC KEY-----';
+        const pemFooter = '-----END PUBLIC KEY-----';
+        const keyContents = keys.publicKey
+            .replace(pemHeader, '')
+            .replace(pemFooter, '')
+            .replace(/\n/g, '');
+        // Detect key type from PEM header
+        const keyAlgo = keys.privateKey.includes('ED25519') || keys.publicKey.length < 200 ? 'ed25519' : 'rsa';
+        // Generate the DKIM DNS TXT record
+        const dnsRecordValue = `v=DKIM1; h=sha256; k=${keyAlgo}; p=${keyContents}`;
+        return {
+            name: `${selector}._domainkey.${domain}`,
+            type: 'TXT',
+            dnsSecEnabled: null,
+            value: dnsRecordValue,
+        };
+    }
+    /**
+     * Clean up old DKIM keys after grace period
+     */
+    async cleanupOldKeys(domain, gracePeriodDays = 30) {
+        if (!this.storageManager) {
+            return;
+        }
+        // List all selectors for the domain
+        const metadataKeys = await this.storageManager.list(`/email/dkim/${domain}/`);
+        for (const key of metadataKeys) {
+            if (key.endsWith('/metadata')) {
+                const metadataStr = await this.storageManager.get(key);
+                if (metadataStr) {
+                    const metadata = JSON.parse(metadataStr);
+                    // Check if key is rotated and past grace period
+                    if (metadata.rotatedAt) {
+                        const gracePeriodMs = gracePeriodDays * 24 * 60 * 60 * 1000;
+                        const now = Date.now();
+                        if (now - metadata.rotatedAt > gracePeriodMs) {
+                            console.log(`Cleaning up old DKIM keys for ${domain} selector ${metadata.selector}`);
+                            // Delete key files
+                            const keyPaths = await this.getKeyPathsForSelector(domain, metadata.selector);
+                            try {
+                                await plugins.fs.promises.unlink(keyPaths.privateKeyPath);
+                                await plugins.fs.promises.unlink(keyPaths.publicKeyPath);
+                            }
+                            catch (error) {
+                                console.warn(`Failed to delete old key files: ${error.message}`);
+                            }
+                            // Delete metadata
+                            await this.storageManager.delete(key);
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy5ka2ltY3JlYXRvci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3RzL21haWwvc2VjdXJpdHkvY2xhc3Nlcy5ka2ltY3JlYXRvci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEtBQUssT0FBTyxNQUFNLGtCQUFrQixDQUFDO0FBQzVDLE9BQU8sS0FBSyxLQUFLLE1BQU0sZ0JBQWdCLENBQUM7QUFFeEMsT0FBTyxFQUFFLEtBQUssRUFBRSxNQUFNLDBCQUEwQixDQUFDO0FBQ2pELCtCQUErQjtBQUUvQixNQUFNLFFBQVEsR0FBRyxPQUFPLENBQUMsSUFBSSxDQUFDLFNBQVMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDLFFBQVEsQ0FBQyxDQUFDO0FBQzdELE1BQU0sU0FBUyxHQUFHLE9BQU8sQ0FBQyxJQUFJLENBQUMsU0FBUyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUMsU0FBUyxDQUFDLENBQUM7QUFDL0QsTUFBTSxlQUFlLEdBQUcsT0FBTyxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxlQUFlLENBQUMsQ0FBQztBQWdCL0UsTUFBTSxPQUFPLFdBQVc7SUFDZCxPQUFPLENBQVM7SUFDaEIsY0FBYyxDQUFPLENBQUMsMEJBQTBCO0lBRXhELFlBQVksT0FBTyxHQUFHLEtBQUssQ0FBQyxPQUFPLEVBQUUsY0FBb0I7UUFDdkQsSUFBSSxDQUFDLE9BQU8sR0FBRyxPQUFPLENBQUM7UUFDdkIsSUFBSSxDQUFDLGNBQWMsR0FBRyxjQUFjLENBQUM7SUFDdkMsQ0FBQztJQUVNLEtBQUssQ0FBQyxvQkFBb0IsQ0FBQyxTQUFpQjtRQUNqRCxPQUFPO1lBQ0wsY0FBYyxFQUFFLE9BQU8sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxPQUFPLEVBQUUsR0FBRyxTQUFTLGNBQWMsQ0FBQztZQUMzRSxhQUFhLEVBQUUsT0FBTyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLE9BQU8sRUFBRSxHQUFHLFNBQVMsYUFBYSxDQUFDO1NBQzFFLENBQUM7SUFDSixDQUFDO0lBRUQsaUZBQWlGO0lBQzFFLEtBQUssQ0FBQyx1QkFBdUIsQ0FBQyxTQUFpQjtRQUNwRCxJQUFJLENBQUM7WUFDSCxNQUFNLElBQUksQ0FBQyxZQUFZLENBQUMsU0FBUyxDQUFDLENBQUM7UUFDckMsQ0FBQztRQUFDLE9BQU8sS0FBSyxFQUFFLENBQUM7WUFDZixPQUFPLENBQUMsR0FBRyxDQUFDLDBCQUEwQixTQUFTLGlCQUFpQixDQUFDLENBQUM7WUFDbEUsTUFBTSxJQUFJLENBQUMsc0JBQXNCLENBQUMsU0FBUyxDQUFDLENBQUM7WUFDN0MsTUFBTSxRQUFRLEdBQUcsTUFBTSxJQUFJLENBQUMscUJBQXFCLENBQUMsU0FBUyxDQUFDLENBQUM7WUFDN0QsTUFBTSxPQUFPLENBQUMsT0FBTyxDQUFDLFNBQVMsQ0FBQyxLQUFLLENBQUMsYUFBYSxDQUFDLENBQUMsU0FBUyxFQUFFLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDMUUsTUFBTSxPQUFPLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsYUFBYSxFQUFFLEdBQUcsU0FBUyxrQkFBa0IsQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQyxTQUFTLENBQUMsUUFBUSxFQUFFLElBQUksRUFBRSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQzlJLENBQUM7SUFDSCxDQUFDO0lBRU0sS0FBSyxDQUFDLHNCQUFzQixDQUFDLEtBQVk7UUFDOUMsTUFBTSxNQUFNLEdBQUcsS0FBSyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDeEMsTUFBTSxJQUFJLENBQUMsdUJBQXVCLENBQUMsTUFBTSxDQUFDLENBQUM7SUFDN0MsQ0FBQztJQUVELGlGQUFpRjtJQUMxRSxLQUFLLENBQUMsWUFBWSxDQUFDLFNBQWlCO1FBQ3pDLHlDQUF5QztRQUN6QyxJQUFJLElBQUksQ0FBQyxjQUFjLEVBQUUsQ0FBQztZQUN4QixJQUFJLENBQUM7Z0JBQ0gsTUFBTSxDQUFDLFVBQVUsRUFBRSxTQUFTLENBQUMsR0FBRyxNQUFNLE9BQU8sQ0FBQyxHQUFHLENBQUM7b0JBQ2hELElBQUksQ0FBQyxjQUFjLENBQUMsR0FBRyxDQUFDLGVBQWUsU0FBUyxjQUFjLENBQUM7b0JBQy9ELElBQUksQ0FBQyxjQUFjLENBQUMsR0FBRyxDQUFDLGVBQWUsU0FBUyxhQUFhLENBQUM7aUJBQy9ELENBQUMsQ0FBQztnQkFFSCxJQUFJLFVBQVUsSUFBSSxTQUFTLEVBQUUsQ0FBQztvQkFDNUIsT0FBTyxFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQUUsQ0FBQztnQkFDbkMsQ0FBQztZQUNILENBQUM7WUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO2dCQUNmLGtDQUFrQztZQUNwQyxDQUFDO1lBRUQsd0VBQXdFO1lBQ3hFLE1BQU0sUUFBUSxHQUFHLE1BQU0sSUFBSSxDQUFDLG9CQUFvQixDQUFDLFNBQVMsQ0FBQyxDQUFDO1lBQzVELElBQUksQ0FBQztnQkFDSCxNQUFNLENBQUMsZ0JBQWdCLEVBQUUsZUFBZSxDQUFDLEdBQUcsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUFDO29CQUM1RCxRQUFRLENBQUMsUUFBUSxDQUFDLGNBQWMsQ0FBQztvQkFDakMsUUFBUSxDQUFDLFFBQVEsQ0FBQyxhQUFhLENBQUM7aUJBQ2pDLENBQUMsQ0FBQztnQkFFSCxpQ0FBaUM7Z0JBQ2pDLE1BQU0sVUFBVSxHQUFHLGdCQUFnQixDQUFDLFFBQVEsRUFBRSxDQUFDO2dCQUMvQyxNQUFNLFNBQVMsR0FBRyxlQUFlLENBQUMsUUFBUSxFQUFFLENBQUM7Z0JBRTdDLDZCQUE2QjtnQkFDN0IsT0FBTyxDQUFDLEdBQUcsQ0FBQywyQkFBMkIsU0FBUyxvQ0FBb0MsQ0FBQyxDQUFDO2dCQUN0RixNQUFNLE9BQU8sQ0FBQyxHQUFHLENBQUM7b0JBQ2hCLElBQUksQ0FBQyxjQUFjLENBQUMsR0FBRyxDQUFDLGVBQWUsU0FBUyxjQUFjLEVBQUUsVUFBVSxDQUFDO29CQUMzRSxJQUFJLENBQUMsY0FBYyxDQUFDLEdBQUcsQ0FBQyxlQUFlLFNBQVMsYUFBYSxFQUFFLFNBQVMsQ0FBQztpQkFDMUUsQ0FBQyxDQUFDO2dCQUVILE9BQU8sRUFBRSxVQUFVLEVBQUUsU0FBUyxFQUFFLENBQUM7WUFDbkMsQ0FBQztZQUFDLE9BQU8sS0FBSyxFQUFFLENBQUM7Z0JBQ2YsSUFBSSxLQUFLLENBQUMsSUFBSSxLQUFLLFFBQVEsRUFBRSxDQUFDO29CQUM1Qiw0QkFBNEI7b0JBQzVCLE1BQU0sSUFBSSxLQUFLLENBQUMsa0NBQWtDLFNBQVMsRUFBRSxDQUFDLENBQUM7Z0JBQ2pFLENBQUM7Z0JBQ0QsTUFBTSxLQUFLLENBQUM7WUFDZCxDQUFDO1FBQ0gsQ0FBQzthQUFNLENBQUM7WUFDTiw4Q0FBOEM7WUFDOUMsTUFBTSxRQUFRLEdBQUcsTUFBTSxJQUFJLENBQUMsb0JBQW9CLENBQUMsU0FBUyxDQUFDLENBQUM7WUFDNUQsTUFBTSxDQUFDLGdCQUFnQixFQUFFLGVBQWUsQ0FBQyxHQUFHLE1BQU0sT0FBTyxDQUFDLEdBQUcsQ0FBQztnQkFDNUQsUUFBUSxDQUFDLFFBQVEsQ0FBQyxjQUFjLENBQUM7Z0JBQ2pDLFFBQVEsQ0FBQyxRQUFRLENBQUMsYUFBYSxDQUFDO2FBQ2pDLENBQUMsQ0FBQztZQUVILE1BQU0sVUFBVSxHQUFHLGdCQUFnQixDQUFDLFFBQVEsRUFBRSxDQUFDO1lBQy9DLE1BQU0sU0FBUyxHQUFHLGVBQWUsQ0FBQyxRQUFRLEVBQUUsQ0FBQztZQUU3QyxPQUFPLEVBQUUsVUFBVSxFQUFFLFNBQVMsRUFBRSxDQUFDO1FBQ25DLENBQUM7SUFDSCxDQUFDO0lBRUQsaUVBQWlFO0lBQzFELEtBQUssQ0FBQyxjQUFjO1FBQ3pCLE1BQU0sRUFBRSxVQUFVLEVBQUUsU0FBUyxFQUFFLEdBQUcsTUFBTSxlQUFlLENBQUMsS0FBSyxFQUFFO1lBQzdELGFBQWEsRUFBRSxJQUFJO1lBQ25CLGlCQUFpQixFQUFFLEVBQUUsSUFBSSxFQUFFLE1BQU0sRUFBRSxNQUFNLEVBQUUsS0FBSyxFQUFFO1lBQ2xELGtCQUFrQixFQUFFLEVBQUUsSUFBSSxFQUFFLE9BQU8sRUFBRSxNQUFNLEVBQUUsS0FBSyxFQUFFO1NBQ3JELENBQUMsQ0FBQztRQUVILE9BQU8sRUFBRSxVQUFVLEVBQUUsU0FBUyxFQUFFLENBQUM7SUFDbkMsQ0FBQztJQUVELDZDQUE2QztJQUN0QyxLQUFLLENBQUMsaUJBQWlCO1FBQzVCLE1BQU0sRUFBRSxVQUFVLEVBQUUsU0FBUyxFQUFFLEdBQUcsTUFBTSxlQUFlLENBQUMsU0FBUyxFQUFFO1lBQ2pFLGlCQUFpQixFQUFFLEVBQUUsSUFBSSxFQUFFLE1BQU0sRUFBRSxNQUFNLEVBQUUsS0FBSyxFQUFFO1lBQ2xELGtCQUFrQixFQUFFLEVBQUUsSUFBSSxFQUFFLE9BQU8sRUFBRSxNQUFNLEVBQUUsS0FBSyxFQUFFO1NBQ3JELENBQUMsQ0FBQztRQUVILE9BQU8sRUFBRSxVQUFVLEVBQUUsU0FBUyxFQUFFLENBQUM7SUFDbkMsQ0FBQztJQUVELHVFQUF1RTtJQUNoRSxLQUFLLENBQUMsYUFBYSxDQUN4QixVQUFrQixFQUNsQixTQUFpQixFQUNqQixjQUFzQixFQUN0QixhQUFxQjtRQUVyQix3Q0FBd0M7UUFDeEMsSUFBSSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7WUFDeEIsd0ZBQXdGO1lBQ3hGLE1BQU0sS0FBSyxHQUFHLGNBQWMsQ0FBQyxLQUFLLENBQUMsMEJBQTBCLENBQUMsQ0FBQztZQUMvRCxJQUFJLEtBQUssRUFBRSxDQUFDO2dCQUNWLE1BQU0sTUFBTSxHQUFHLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQztnQkFDeEIsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUFDO29CQUNoQixJQUFJLENBQUMsY0FBYyxDQUFDLEdBQUcsQ0FBQyxlQUFlLE1BQU0sY0FBYyxFQUFFLFVBQVUsQ0FBQztvQkFDeEUsSUFBSSxDQUFDLGNBQWMsQ0FBQyxHQUFHLENBQUMsZUFBZSxNQUFNLGFBQWEsRUFBRSxTQUFTLENBQUM7aUJBQ3ZFLENBQUMsQ0FBQztZQUNMLENBQUM7UUFDSCxDQUFDO1FBRUQsc0RBQXNEO1FBQ3RELE1BQU0sT0FBTyxDQUFDLEdBQUcsQ0FBQyxDQUFDLFNBQVMsQ0FBQyxjQUFjLEVBQUUsVUFBVSxDQUFDLEVBQUUsU0FBUyxDQUFDLGFBQWEsRUFBRSxTQUFTLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDbEcsQ0FBQztJQUVELGlGQUFpRjtJQUMxRSxLQUFLLENBQUMsc0JBQXNCLENBQUMsTUFBYztRQUNoRCxNQUFNLEVBQUUsVUFBVSxFQUFFLFNBQVMsRUFBRSxHQUFHLE1BQU0sSUFBSSxDQUFDLGNBQWMsRUFBRSxDQUFDO1FBQzlELE1BQU0sUUFBUSxHQUFHLE1BQU0sSUFBSSxDQUFDLG9CQUFvQixDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ3pELE1BQU0sSUFBSSxDQUFDLGFBQWEsQ0FDdEIsVUFBVSxFQUNWLFNBQVMsRUFDVCxRQUFRLENBQUMsY0FBYyxFQUN2QixRQUFRLENBQUMsYUFBYSxDQUN2QixDQUFDO1FBQ0YsT0FBTyxDQUFDLEdBQUcsQ0FBQyxpQkFBaUIsTUFBTSxzQkFBc0IsQ0FBQyxDQUFDO0lBQzdELENBQUM7SUFFRCxtQ0FBbUM7SUFDNUIsS0FBSyxDQUFDLHFCQUFxQixDQUFDLFNBQWlCO1FBQ2xELE1BQU0sSUFBSSxDQUFDLHVCQUF1QixDQUFDLFNBQVMsQ0FBQyxDQUFDO1FBQzlDLE1BQU0sSUFBSSxHQUFHLE1BQU0sSUFBSSxDQUFDLFlBQVksQ0FBQyxTQUFTLENBQUMsQ0FBQztRQUVoRCxnREFBZ0Q7UUFDaEQsTUFBTSxTQUFTLEdBQUcsNEJBQTRCLENBQUM7UUFDL0MsTUFBTSxTQUFTLEdBQUcsMEJBQTBCLENBQUM7UUFDN0MsTUFBTSxXQUFXLEdBQUcsSUFBSSxDQUFDLFNBQVM7YUFDL0IsT0FBTyxDQUFDLFNBQVMsRUFBRSxFQUFFLENBQUM7YUFDdEIsT0FBTyxDQUFDLFNBQVMsRUFBRSxFQUFFLENBQUM7YUFDdEIsT0FBTyxDQUFDLEtBQUssRUFBRSxFQUFFLENBQUMsQ0FBQztRQUV0QixrQ0FBa0M7UUFDbEMsTUFBTSxPQUFPLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQyxRQUFRLENBQUMsU0FBUyxDQUFDLElBQUksSUFBSSxDQUFDLFNBQVMsQ0FBQyxNQUFNLEdBQUcsR0FBRyxDQUFDLENBQUMsQ0FBQyxTQUFTLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQztRQUV2Ryx1Q0FBdUM7UUFDdkMsTUFBTSxjQUFjLEdBQUcsd0JBQXdCLE9BQU8sT0FBTyxXQUFXLEVBQUUsQ0FBQztRQUUzRSxPQUFPO1lBQ0wsSUFBSSxFQUFFLGtCQUFrQixTQUFTLEVBQUU7WUFDbkMsSUFBSSxFQUFFLEtBQUs7WUFDWCxhQUFhLEVBQUUsSUFBSTtZQUNuQixLQUFLLEVBQUUsY0FBYztTQUN0QixDQUFDO0lBQ0osQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLGNBQWMsQ0FBQyxNQUFjLEVBQUUsV0FBbUIsU0FBUztRQUN2RSxJQUFJLENBQUMsSUFBSSxDQUFDLGNBQWMsRUFBRSxDQUFDO1lBQ3pCLE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQztRQUVELE1BQU0sV0FBVyxHQUFHLGVBQWUsTUFBTSxJQUFJLFFBQVEsV0FBVyxDQUFDO1FBQ2pFLE1BQU0sV0FBVyxHQUFHLE1BQU0sSUFBSSxDQUFDLGNBQWMsQ0FBQyxHQUFHLENBQUMsV0FBVyxDQUFDLENBQUM7UUFFL0QsSUFBSSxDQUFDLFdBQVcsRUFBRSxDQUFDO1lBQ2pCLE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQztRQUVELE9BQU8sSUFBSSxDQUFDLEtBQUssQ0FBQyxXQUFXLENBQXFCLENBQUM7SUFDckQsQ0FBQztJQUVEOztPQUVHO0lBQ0ssS0FBSyxDQUFDLGVBQWUsQ0FBQyxRQUEwQjtRQUN0RCxJQUFJLENBQUMsSUFBSSxDQUFDLGNBQWMsRUFBRSxDQUFDO1lBQ3pCLE9BQU87UUFDVCxDQUFDO1FBRUQsTUFBTSxXQUFXLEdBQUcsZUFBZSxRQUFRLENBQUMsTUFBTSxJQUFJLFFBQVEsQ0FBQyxRQUFRLFdBQVcsQ0FBQztRQUNuRixNQUFNLElBQUksQ0FBQyxjQUFjLENBQUMsR0FBRyxDQUFDLFdBQVcsRUFBRSxJQUFJLENBQUMsU0FBUyxDQUFDLFFBQVEsQ0FBQyxDQUFDLENBQUM7SUFDdkUsQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLGFBQWEsQ0FBQyxNQUFjLEVBQUUsV0FBbUIsU0FBUyxFQUFFLHVCQUErQixFQUFFO1FBQ3hHLE1BQU0sUUFBUSxHQUFHLE1BQU0sSUFBSSxDQUFDLGNBQWMsQ0FBQyxNQUFNLEVBQUUsUUFBUSxDQUFDLENBQUM7UUFFN0QsSUFBSSxDQUFDLFFBQVEsRUFBRSxDQUFDO1lBQ2QsNENBQTRDO1lBQzVDLE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQztRQUVELE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUN2QixNQUFNLFFBQVEsR0FBRyxHQUFHLEdBQUcsUUFBUSxDQUFDLFNBQVMsQ0FBQztRQUMxQyxNQUFNLFVBQVUsR0FBRyxRQUFRLEdBQUcsQ0FBQyxJQUFJLEdBQUcsRUFBRSxHQUFHLEVBQUUsR0FBRyxFQUFFLENBQUMsQ0FBQztRQUVwRCxPQUFPLFVBQVUsSUFBSSxvQkFBb0IsQ0FBQztJQUM1QyxDQUFDO0lBRUQ7O09BRUc7SUFDSSxLQUFLLENBQUMsY0FBYyxDQUFDLE1BQWMsRUFBRSxrQkFBMEIsU0FBUyxFQUFFLFVBQWtCLElBQUk7UUFDckcsT0FBTyxDQUFDLEdBQUcsQ0FBQywwQkFBMEIsTUFBTSxLQUFLLENBQUMsQ0FBQztRQUVuRCxzQ0FBc0M7UUFDdEMsTUFBTSxHQUFHLEdBQUcsSUFBSSxJQUFJLEVBQUUsQ0FBQztRQUN2QixNQUFNLFdBQVcsR0FBRyxNQUFNLEdBQUcsQ0FBQyxXQUFXLEVBQUUsR0FBRyxNQUFNLENBQUMsR0FBRyxDQUFDLFFBQVEsRUFBRSxHQUFHLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxDQUFDLEVBQUUsR0FBRyxDQUFDLEVBQUUsQ0FBQztRQUU1Rix1Q0FBdUM7UUFDdkMsTUFBTSxFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQUUsR0FBRyxNQUFNLGVBQWUsQ0FBQyxLQUFLLEVBQUU7WUFDN0QsYUFBYSxFQUFFLE9BQU87WUFDdEIsaUJBQWlCLEVBQUUsRUFBRSxJQUFJLEVBQUUsTUFBTSxFQUFFLE1BQU0sRUFBRSxLQUFLLEVBQUU7WUFDbEQsa0JBQWtCLEVBQUUsRUFBRSxJQUFJLEVBQUUsT0FBTyxFQUFFLE1BQU0sRUFBRSxLQUFLLEVBQUU7U0FDckQsQ0FBQyxDQUFDO1FBRUgsbUNBQW1DO1FBQ25DLE1BQU0sV0FBVyxHQUFHLE1BQU0sSUFBSSxDQUFDLHNCQUFzQixDQUFDLE1BQU0sRUFBRSxXQUFXLENBQUMsQ0FBQztRQUUzRSx3Q0FBd0M7UUFDeEMsSUFBSSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7WUFDeEIsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUFDO2dCQUNoQixJQUFJLENBQUMsY0FBYyxDQUFDLEdBQUcsQ0FBQyxlQUFlLE1BQU0sSUFBSSxXQUFXLGNBQWMsRUFBRSxVQUFVLENBQUM7Z0JBQ3ZGLElBQUksQ0FBQyxjQUFjLENBQUMsR0FBRyxDQUFDLGVBQWUsTUFBTSxJQUFJLFdBQVcsYUFBYSxFQUFFLFNBQVMsQ0FBQzthQUN0RixDQUFDLENBQUM7UUFDTCxDQUFDO1FBRUQsMkJBQTJCO1FBQzNCLE1BQU0sSUFBSSxDQUFDLGFBQWEsQ0FDdEIsVUFBVSxFQUNWLFNBQVMsRUFDVCxXQUFXLENBQUMsY0FBYyxFQUMxQixXQUFXLENBQUMsYUFBYSxDQUMxQixDQUFDO1FBRUYsNkJBQTZCO1FBQzdCLE1BQU0sUUFBUSxHQUFxQjtZQUNqQyxNQUFNO1lBQ04sUUFBUSxFQUFFLFdBQVc7WUFDckIsU0FBUyxFQUFFLElBQUksQ0FBQyxHQUFHLEVBQUU7WUFDckIsZ0JBQWdCLEVBQUUsZUFBZTtZQUNqQyxPQUFPO1NBQ1IsQ0FBQztRQUNGLE1BQU0sSUFBSSxDQUFDLGVBQWUsQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUVyQywrQkFBK0I7UUFDL0IsTUFBTSxXQUFXLEdBQUcsTUFBTSxJQUFJLENBQUMsY0FBYyxDQUFDLE1BQU0sRUFBRSxlQUFlLENBQUMsQ0FBQztRQUN2RSxJQUFJLFdBQVcsRUFBRSxDQUFDO1lBQ2hCLFdBQVcsQ0FBQyxTQUFTLEdBQUcsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO1lBQ25DLE1BQU0sSUFBSSxDQUFDLGVBQWUsQ0FBQyxXQUFXLENBQUMsQ0FBQztRQUMxQyxDQUFDO1FBRUQsT0FBTyxDQUFDLEdBQUcsQ0FBQyx5QkFBeUIsTUFBTSxtQkFBbUIsV0FBVyxFQUFFLENBQUMsQ0FBQztRQUM3RSxPQUFPLFdBQVcsQ0FBQztJQUNyQixDQUFDO0lBRUQ7O09BRUc7SUFDSSxLQUFLLENBQUMsc0JBQXNCLENBQUMsTUFBYyxFQUFFLFFBQWdCO1FBQ2xFLE9BQU87WUFDTCxjQUFjLEVBQUUsT0FBTyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLE9BQU8sRUFBRSxHQUFHLE1BQU0sSUFBSSxRQUFRLGNBQWMsQ0FBQztZQUNwRixhQUFhLEVBQUUsT0FBTyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLE9BQU8sRUFBRSxHQUFHLE1BQU0sSUFBSSxRQUFRLGFBQWEsQ0FBQztTQUNuRixDQUFDO0lBQ0osQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLHVCQUF1QixDQUFDLE1BQWMsRUFBRSxRQUFnQjtRQUNuRSx5Q0FBeUM7UUFDekMsSUFBSSxJQUFJLENBQUMsY0FBYyxFQUFFLENBQUM7WUFDeEIsSUFBSSxDQUFDO2dCQUNILE1BQU0sQ0FBQyxVQUFVLEVBQUUsU0FBUyxDQUFDLEdBQUcsTUFBTSxPQUFPLENBQUMsR0FBRyxDQUFDO29CQUNoRCxJQUFJLENBQUMsY0FBYyxDQUFDLEdBQUcsQ0FBQyxlQUFlLE1BQU0sSUFBSSxRQUFRLGNBQWMsQ0FBQztvQkFDeEUsSUFBSSxDQUFDLGNBQWMsQ0FBQyxHQUFHLENBQUMsZUFBZSxNQUFNLElBQUksUUFBUSxhQUFhLENBQUM7aUJBQ3hFLENBQUMsQ0FBQztnQkFFSCxJQUFJLFVBQVUsSUFBSSxTQUFTLEVBQUUsQ0FBQztvQkFDNUIsT0FBTyxFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQUUsQ0FBQztnQkFDbkMsQ0FBQztZQUNILENBQUM7WUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO2dCQUNmLGtDQUFrQztZQUNwQyxDQUFDO1lBRUQsd0VBQXdFO1lBQ3hFLE1BQU0sUUFBUSxHQUFHLE1BQU0sSUFBSSxDQUFDLHNCQUFzQixDQUFDLE1BQU0sRUFBRSxRQUFRLENBQUMsQ0FBQztZQUNyRSxJQUFJLENBQUM7Z0JBQ0gsTUFBTSxDQUFDLGdCQUFnQixFQUFFLGVBQWUsQ0FBQyxHQUFHLE1BQU0sT0FBTyxDQUFDLEdBQUcsQ0FBQztvQkFDNUQsUUFBUSxDQUFDLFFBQVEsQ0FBQyxjQUFjLENBQUM7b0JBQ2pDLFFBQVEsQ0FBQyxRQUFRLENBQUMsYUFBYSxDQUFDO2lCQUNqQyxDQUFDLENBQUM7Z0JBRUgsTUFBTSxVQUFVLEdBQUcsZ0JBQWdCLENBQUMsUUFBUSxFQUFFLENBQUM7Z0JBQy9DLE1BQU0sU0FBUyxHQUFHLGVBQWUsQ0FBQyxRQUFRLEVBQUUsQ0FBQztnQkFFN0MsNkJBQTZCO2dCQUM3QixPQUFPLENBQUMsR0FBRyxDQUFDLDJCQUEyQixNQUFNLElBQUksUUFBUSxvQ0FBb0MsQ0FBQyxDQUFDO2dCQUMvRixNQUFNLE9BQU8sQ0FBQyxHQUFHLENBQUM7b0JBQ2hCLElBQUksQ0FBQyxjQUFjLENBQUMsR0FBRyxDQUFDLGVBQWUsTUFBTSxJQUFJLFFBQVEsY0FBYyxFQUFFLFVBQVUsQ0FBQztvQkFDcEYsSUFBSSxDQUFDLGNBQWMsQ0FBQyxHQUFHLENBQUMsZUFBZSxNQUFNLElBQUksUUFBUSxhQUFhLEVBQUUsU0FBUyxDQUFDO2lCQUNuRixDQUFDLENBQUM7Z0JBRUgsT0FBTyxFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQUUsQ0FBQztZQUNuQyxDQUFDO1lBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztnQkFDZixJQUFJLEtBQUssQ0FBQyxJQUFJLEtBQUssUUFBUSxFQUFFLENBQUM7b0JBQzVCLE1BQU0sSUFBSSxLQUFLLENBQUMsa0NBQWtDLE1BQU0sa0JBQWtCLFFBQVEsRUFBRSxDQUFDLENBQUM7Z0JBQ3hGLENBQUM7Z0JBQ0QsTUFBTSxLQUFLLENBQUM7WUFDZCxDQUFDO1FBQ0gsQ0FBQzthQUFNLENBQUM7WUFDTiw4Q0FBOEM7WUFDOUMsTUFBTSxRQUFRLEdBQUcsTUFBTSxJQUFJLENBQUMsc0JBQXNCLENBQUMsTUFBTSxFQUFFLFFBQVEsQ0FBQyxDQUFDO1lBQ3JFLE1BQU0sQ0FBQyxnQkFBZ0IsRUFBRSxlQUFlLENBQUMsR0FBRyxNQUFNLE9BQU8sQ0FBQyxHQUFHLENBQUM7Z0JBQzVELFFBQVEsQ0FBQyxRQUFRLENBQUMsY0FBYyxDQUFDO2dCQUNqQyxRQUFRLENBQUMsUUFBUSxDQUFDLGFBQWEsQ0FBQzthQUNqQyxDQUFDLENBQUM7WUFFSCxNQUFNLFVBQVUsR0FBRyxnQkFBZ0IsQ0FBQyxRQUFRLEVBQUUsQ0FBQztZQUMvQyxNQUFNLFNBQVMsR0FBRyxlQUFlLENBQUMsUUFBUSxFQUFFLENBQUM7WUFFN0MsT0FBTyxFQUFFLFVBQVUsRUFBRSxTQUFTLEVBQUUsQ0FBQztRQUNuQyxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLHVCQUF1QixDQUFDLE1BQWMsRUFBRSxRQUFnQjtRQUNuRSxNQUFNLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyx1QkFBdUIsQ0FBQyxNQUFNLEVBQUUsUUFBUSxDQUFDLENBQUM7UUFFbEUsZ0RBQWdEO1FBQ2hELE1BQU0sU0FBUyxHQUFHLDRCQUE0QixDQUFDO1FBQy9DLE1BQU0sU0FBUyxHQUFHLDBCQUEwQixDQUFDO1FBQzdDLE1BQU0sV0FBVyxHQUFHLElBQUksQ0FBQyxTQUFTO2FBQy9CLE9BQU8sQ0FBQyxTQUFTLEVBQUUsRUFBRSxDQUFDO2FBQ3RCLE9BQU8sQ0FBQyxTQUFTLEVBQUUsRUFBRSxDQUFDO2FBQ3RCLE9BQU8sQ0FBQyxLQUFLLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFFdEIsa0NBQWtDO1FBQ2xDLE1BQU0sT0FBTyxHQUFHLElBQUksQ0FBQyxVQUFVLENBQUMsUUFBUSxDQUFDLFNBQVMsQ0FBQyxJQUFJLElBQUksQ0FBQyxTQUFTLENBQUMsTUFBTSxHQUFHLEdBQUcsQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUM7UUFFdkcsbUNBQW1DO1FBQ25DLE1BQU0sY0FBYyxHQUFHLHdCQUF3QixPQUFPLE9BQU8sV0FBVyxFQUFFLENBQUM7UUFFM0UsT0FBTztZQUNMLElBQUksRUFBRSxHQUFHLFFBQVEsZUFBZSxNQUFNLEVBQUU7WUFDeEMsSUFBSSxFQUFFLEtBQUs7WUFDWCxhQUFhLEVBQUUsSUFBSTtZQUNuQixLQUFLLEVBQUUsY0FBYztTQUN0QixDQUFDO0lBQ0osQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLGNBQWMsQ0FBQyxNQUFjLEVBQUUsa0JBQTBCLEVBQUU7UUFDdEUsSUFBSSxDQUFDLElBQUksQ0FBQyxjQUFjLEVBQUUsQ0FBQztZQUN6QixPQUFPO1FBQ1QsQ0FBQztRQUVELG9DQUFvQztRQUNwQyxNQUFNLFlBQVksR0FBRyxNQUFNLElBQUksQ0FBQyxjQUFjLENBQUMsSUFBSSxDQUFDLGVBQWUsTUFBTSxHQUFHLENBQUMsQ0FBQztRQUU5RSxLQUFLLE1BQU0sR0FBRyxJQUFJLFlBQVksRUFBRSxDQUFDO1lBQy9CLElBQUksR0FBRyxDQUFDLFFBQVEsQ0FBQyxXQUFXLENBQUMsRUFBRSxDQUFDO2dCQUM5QixNQUFNLFdBQVcsR0FBRyxNQUFNLElBQUksQ0FBQyxjQUFjLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxDQUFDO2dCQUN2RCxJQUFJLFdBQVcsRUFBRSxDQUFDO29CQUNoQixNQUFNLFFBQVEsR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLFdBQVcsQ0FBcUIsQ0FBQztvQkFFN0QsZ0RBQWdEO29CQUNoRCxJQUFJLFFBQVEsQ0FBQyxTQUFTLEVBQUUsQ0FBQzt3QkFDdkIsTUFBTSxhQUFhLEdBQUcsZUFBZSxHQUFHLEVBQUUsR0FBRyxFQUFFLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQzt3QkFDNUQsTUFBTSxHQUFHLEdBQUcsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO3dCQUV2QixJQUFJLEdBQUcsR0FBRyxRQUFRLENBQUMsU0FBUyxHQUFHLGFBQWEsRUFBRSxDQUFDOzRCQUM3QyxPQUFPLENBQUMsR0FBRyxDQUFDLGlDQUFpQyxNQUFNLGFBQWEsUUFBUSxDQUFDLFFBQVEsRUFBRSxDQUFDLENBQUM7NEJBRXJGLG1CQUFtQjs0QkFDbkIsTUFBTSxRQUFRLEdBQUcsTUFBTSxJQUFJLENBQUMsc0JBQXNCLENBQUMsTUFBTSxFQUFFLFFBQVEsQ0FBQyxRQUFRLENBQUMsQ0FBQzs0QkFDOUUsSUFBSSxDQUFDO2dDQUNILE1BQU0sT0FBTyxDQUFDLEVBQUUsQ0FBQyxRQUFRLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxjQUFjLENBQUMsQ0FBQztnQ0FDMUQsTUFBTSxPQUFPLENBQUMsRUFBRSxDQUFDLFFBQVEsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLGFBQWEsQ0FBQyxDQUFDOzRCQUMzRCxDQUFDOzRCQUFDLE9BQU8sS0FBSyxFQUFFLENBQUM7Z0NBQ2YsT0FBTyxDQUFDLElBQUksQ0FBQyxtQ0FBbUMsS0FBSyxDQUFDLE9BQU8sRUFBRSxDQUFDLENBQUM7NEJBQ25FLENBQUM7NEJBRUQsa0JBQWtCOzRCQUNsQixNQUFNLElBQUksQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDO3dCQUN4QyxDQUFDO29CQUNILENBQUM7Z0JBQ0gsQ0FBQztZQUNILENBQUM7UUFDSCxDQUFDO0lBQ0gsQ0FBQztDQUNGIn0=